I doubt you can 'prove it' - even paypal advise typing in the URL to be absolutely sure.

Using https:// might help, I suppose - but it's the name in the address bar that is 'proof' of where the visitor is; even that may not match the page content, if frames are used ...

I was thinking of how I could generate some clever "click this to prove you're on our site!" type of thing....

Hmmm.

You couldn't do it alone, but you could set up a system of independent verification - they click on the link (each site has unique code), which takes them to the verifying site, with a safe link back.

Not foolproof, but it would make life difficult for the fraudster ...

I probably cannot post the link, but there is an independent organisation that does a similar job for health sites. The system could be improved to meet your needs.

Mods: Nothing above will take anyone to the site I'm thinking of; I've changed all the key terms.

This is what an SSL cert does.

:-)

You don't even need the entire site on https, you can just put one page on [somewhere.com...] and when they follow the link, instruct them how to open the lock icon to verify your identity.

Also having solid contact information (address and phone number) in a prominent location on every page of your site instills confidence, a spoof site is not likely to offer up such info.

maybe you could do something with cookies. cookies are site-specific, and can't be understood by other sites.
if you make a user enter something into the cookie (something that only he would know) and then display it on the page, then they would know that you have read the cookie.

you'd have to scramble it up in the cookie though, to be safe, and then unravel it on your site. just in case someone did manage to access their cookie.

This will work for registered visitors:

1. The next time a visitor logs into your site, ask them to select their favorite picture from a list of a few hundred pictures.

2. Every time they login after that, display that picture to them.

Even if someone copied your look/feel, they wouldn't know what picture the user had selected.

For best results, separate the username form from the password form. Display the picture after the user enters their username but before they enter their password. If it is the wrong picture or the picture is missing the user will know something is up.

This is surprisingly effective. If it is a site you use regularly, you will notice as soon as the picture is wrong/gone.

This sounds like pure genius!

So why doesn't everyone use something so beautifully simple?

Also having solid contact information (address and phone number) in a prominent location on every page of your site instills confidence, a spoof site is not likely to offer up such info.

Almost every spoof site I've seen - and I visit a fair few - has all that stufff - including links to "how to avoid spoofs" pages. They do it to instill confidence, so you think it's not a spoof site.

Ummm..... maybe I'm missing something here, but isn't that what an SSL certificate is for? I'm speaking of the third-party ones, such as Thawte or VeriSign, where they verify that you are who you say you are, and they also verify that the site in question belongs to you. People can click on the padlock to get the full cert information, thereby verifying that the site they are on is indeed yours.

Yes, thanks all that have replied, however all the responses so far are too difficult for Mr Average Joe to use - interrogating the secure padlock etc for the SSL Cert is waaaay more effort than what I was hoping for.
Re the picture presentation one - yes, I'd read recently about that, however this isn't a login site, but is still one that may get spoofed.

Got to be some innovative and dead simple (for the user) to do this - then again, I guess all the big banks have had their boffins working on just this....

Mr Bo Jangles
The ss is the easiest and simplest as you can pay the hosting com 50 bucks to set the SS certificate up pay 99 for 2 year certificate and you are in like flin..

You will have to buy the SS certificate as they require certian information to verify you are who u are etc. Once this is done send the url to the hosting co seting it up with the necessary log in info. They will install it for you. Be sure and verify they can as you may not have a hosting plan to allow this and verify the amount. My host charged me 50 so I assume it is a gong rate..

If you buy it under your domain remember to add in robots text disallow the https. and add nofollow tag to any link with https. keeps from getting indexed in https and http.

Add a link very noticalbe bigger font on the site in navigation say Verify Site open to the ss page were you can direct them to verify certificate and site owner.

Simple any avergage Joe can build the page all u need to do is pay about 140 to get the ss bought and installed...

SSL is the industry standard for doing this.

They really aren't that expensive... you just have to jump through some hoops to get one.